OFFICE OF INSPECTOR GENERAL
EXPORT-IMPORT BANK of the UNITED STATES

AUDIT OF INFORMATION TECHNOLOGY SUPPORT FOR EXPORT-IMPORT BANK’S MISSION

January 24, 2012
OIG-AR-12-04

January 24, 2012

MEMORANDUM

TO:       Alice Albright
          Executive Vice President and Chief Operating Officer

          Fernanda Young
          Chief Information Officer

FROM:     Christine Staley
          Senior Auditor

SUBJECT:  Audit of Information Technology Support for Export-Import Bank’s Mission

This memorandum transmits Audit Report OIG-AR-12-04, Information Technology Support for
Export-Import Bank’s Mission. The Office of Inspector General engaged BDO USA, LLP to perform
the audit under a contract managed by this office.
The objective of this audit was to determine whether Ex-Im Bank is minimizing the cost and
maximizing the usefulness of its key IT systems to meet Ex-Im Bank’s mission.

The audit found that, while the business operations at Ex-Im Bank are functioning and
transactions are being processed, the IT systems are not supporting these operations efficiently
and effectively. Overall, Ex-Im Bank IT systems and databases do not always capture and manage
all necessary data for business needs and antiquated IT applications cause workflow
inefficiencies. In addition, because not all applications for Ex-Im products are electronically
accepted and/or processed in a centralized database, and because Ex-Im Bank’s IT systems are not
integrated, certain key data has to be manually entered into different Ex-Im Bank systems and
transaction records hard copied to complete workflow processing task(s). In sum, the present IT
application infrastructure makes it difficult for Ex-Im Bank to provide timely service,
effectively manage and track its programs, measure progress, and increase productivity.
Furthermore, Ex-Im Bank does not have practices to effectively manage its strategic planning, IT
spending, and the System Development Life Cycle and Program Change Management process.

We made eleven recommendations to address these findings. Management concurred with the findings
and recommendations.

We appreciate the courtesies and cooperation provided to the auditors during the audit. If you
have any questions, please call me at (202) 565-3996.

cc:
Fred P. Hochberg, Chairman and President
Audit Committee
Michael Cushing, Senior Vice President, Resource Management
John McAdams, Senior Vice President, Export Finance
John Lowry, Director, Information Technology Security and System Assurance
Robert Fuller, Director, Information Technology Systems Engineering
David Sena, Acting Senior Vice President, Chief Financial Officer and Audit Liaison
Michele Kuester, Vice President, Operations and Data Quality
Robert Morin, Vice President, Transportation Portfolio Management
Jeffrey Abramson, Vice President, Trade Finance
Richard Brackley, Managing Director, Claims and Recoveries Section
Patricia Wolf, Supervisor, Financial Reporting

Tel: 212-885-8000
Fax: 212-697-1299
100 Park Avenue
New York, NY 10017
www.bdo.com

January 20, 2012

Christine Staley
Senior Auditor
Office of Inspector General
Export-Import Bank of the United States
811 Vermont Avenue, N.W.
Washington, D.C. 20571

Subject: Report on Information Technology Support for Export-Import Bank’s Mission.

Dear Ms. Staley:

This letter submits our final report representing the results of our audit of how information
technology (“IT”) supports Export-Import Bank’s mission. The objective of this audit was to
evaluate whether the IT systems at the Export-Import Bank of the United States (“Ex-Im Bank” or
“Ex-Im”) are able to effectively and efficiently support the Ex-Im Bank mission.

We conducted our performance audit in accordance with Generally Accepted Government Auditing
Standards (“GAGAS”).
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.

This audit did not constitute an audit of financial statements in accordance with GAGAS. BDO was
not engaged to, and did not render an opinion on Ex-Im Bank’s financial statements or internal
controls over financial reporting or over financial management systems. The information included
in this report was obtained from Ex-Im Bank on or before September 20, 2011. We have no
obligations to update our report or to revise the information contained therein to reflect
events and transactions occurring subsequent to September 20, 2011.

Sincerely,

TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
OBJECTIVE
SCOPE AND METHODOLOGY
AUDIT RESULTS
A – BUSINESS OPERATIONS
    A.1 Key IT Applications are Inefficient and Incapable of Capturing Certain Data,
        Automating Workflow Procedures and Integrating Data.
        Recommendations
    A.2 Participant Information Is Not Always Timely and Completely Captured.
        Recommendations
B – INFORMATION TECHNOLOGY
    B.1 Strategic Planning Process Does Not Address Current and Future Needs.
        Recommendation
    B.2 IT Budget and Spending Practices Do Not Provide Adequate Data for Investment Oversight.
        Recommendations
    B.3 Ex-Im’s Systems Development Life Cycle and Program Change Management Processes Are Not
        Consistently Followed.
        Recommendation
APPENDIX A – BUSINESS OPERATION FLOWCHARTS
APPENDIX B – ACRONYMS
APPENDIX C – MANAGEMENT’S RESPONSE

EXECUTIVE SUMMARY

BDO USA, LLP (“BDO”) conducted an audit of the information technology (“IT”) support for
Export-Import Bank of the United States (“Ex-Im Bank” or “Ex-Im”) mission. This audit was
performed under Assignment # EXIM-11-P-0043 issued by the Office of Inspector General (“OIG”).

In conjunction with this evaluation, the objective of this audit was to determine whether Ex-Im
Bank is minimizing the cost and maximizing the usefulness of its key IT systems to meet Ex-Im
Bank’s mission. The specific audit objectives were to:

   1. Identify key data and procedures used by Ex-Im Bank to process and monitor its loan,
      guarantee, and insurance products, as well as loan default and guarantee and insurance
      claims.
   2. Identify interoperability of Ex-Im Bank’s four critical IT systems: Ex-Im General Support
      System, the Financial and Administrative System, EXIM Online, and the Oracle General
      Support System.
   3. Determine whether Ex-Im Bank’s IT systems provide useful information to effectively and
      efficiently process and monitor activity.
   4. Identify effectiveness of IT applications and systems as they relate to Ex-Im Bank’s
      operating mission.
   5. Identify annual expenditures on IT systems and determine the amounts applied to maintain
      and improve its systems.

Our audit work revealed that, while the business operations at Ex-Im Bank are functioning and
transactions are being processed, the IT systems are not supporting these operations efficiently
and effectively. Overall, Ex-Im Bank IT systems and databases do not always capture and manage
all necessary data for business needs and antiquated IT applications cause workflow
inefficiencies. For instance, Ex-Im Bank’s Application Processing System, which is in the
Financial and Administrative System and was developed decades ago, cannot handle certain
underwriting data necessary for a transaction or capture necessary information related to certain
transportation deals. In addition, because not all applications for Ex-Im products are
electronically accepted and/or processed in a centralized database, and because Ex-Im Bank’s IT
systems are not integrated, certain key data has to be manually entered into different Ex-Im
Bank systems and transaction records hard copied to complete workflow processing task(s).
Because of these issues, data integrity is at risk, resources are not efficiently used, and data
gathering and reporting are burdensome and time consuming. In sum, the present IT application
infrastructure makes it difficult for Ex-Im Bank to provide timely service, effectively manage
and track its programs, measure progress, and increase productivity.

Furthermore, Ex-Im Bank does not have practices to effectively manage its strategic planning, IT
spending, and the System Development Life Cycle (“SDLC”) and Program Change Management (“PCM”)
process.
The audit found that: the Office of the Chief Financial Officer does not have sufficient
detailed information on the amount of IT spending versus planned and the specific purpose for
each expenditure; the Strategic Plan was not formally approved and is not sufficiently
comprehensive to coordinate and manage initiatives; and the SDLC and PCM processes are not
consistently followed. Failure to have strong internal controls in these areas prevents
management from determining and monitoring the best use of funds to improve IT support of Ex-Im
Bank’s mission.

Even though all findings have some relation to IT systems, they are not all the direct
responsibility of the IT department due to their pervasive nature. While we have identified
eleven specific recommendations for the findings included in the above areas, our overall
recommendation is for the business operations and IT teams to each designate a champion(s) that
understands their respective needs and technical capabilities and work together to develop an
integrated IT application system to ensure that business is conducted effectively and
efficiently to support Ex-Im Bank’s mission.

BACKGROUND

Export-Import Bank of the United States (“Ex-Im Bank” or “Ex-Im”) is an independent executive
agency and a wholly owned United States (“U.S.”) government corporation. Ex-Im Bank is the
official export credit agency of the U.S.
Its mission is to support U.S. exports by providing export financing through its loan,
guarantee, and insurance programs in cases (1) where the private sector is unable or unwilling
to provide financing, or (2) when such support is necessary to level the playing field due to
financing provided by foreign governments to exporters in competition for U.S. export sales. By
facilitating the financing of U.S. exports, Ex-Im Bank helps companies create and maintain U.S.
jobs. Ex-Im Bank has provided financing support for export sales in over 150 markets throughout
the world. Ex-Im Bank’s charter requires reasonable assurance of repayment for the transactions
it authorizes and the Ex-Im Bank closely monitors credit and other risks in its portfolio.

Ex-Im Bank’s Charter requires Ex-Im Bank to develop and “implement an electronic system designed
to track all pending transactions” and to establish and maintain a website through which Bank
products may be applied for and to obtain information regarding the status of applications.[1]
As described below, Ex-Im Bank uses four mission critical information technology (“IT”) systems
to conduct business operations.

     I.   Ex-Im General Support System (“GSS”) – GSS is the underlying network which all Ex-Im
          employees utilize when they connect to the shared drives and also browse the Ex-Im
          network to access various applications and networked resources.
     II.  Ex-Im Online (“EOL”) – EOL is a web-based infrastructure that allows users (exporters,
          importers) to log into Ex-Im’s system to submit information electronically and check
          on export/import records. EOL is used to capture the initial application data, track
          documents, and route the workflow.
          It was originally only intended to meet the needs of the insurance business for
          short-term products. As of the audit, the EOL system supports the following Ex-Im
          products: short-term single-buyer insurance; medium-term insurance; short-term
          multi-buyer insurance; loan guarantees (up to $10MM); financial institution buyer
          credit insurance; foreign dealer insurance; letter of credit insurance for banks; and
          express insurance. All other applications for Ex-Im products must be completed by
          filling out application forms and submitting them by email, fax, or mail.
     III. Financial and Administrative System (“F&AS”) – F&AS is a distributed based
          environment that hosts five financial-related minor applications. The minor
          applications are:

               • Application Processing System (“APS”) – APS processes loans from the initial
                 customer contact to application receipt, underwriting evaluation, and when
                 applicable, underwriting approval.

               • Standard General Ledger (“LG/A”) – LG/A is Ex-Im’s accounting system and
                 standard general ledger. The application also processes loans, guarantees, and
                 insurance policies from authorization through final disbursement.

[1] 12 U.S.C. §§ 635(b)(1)(J) and (2)(h).

               • Claims and Recovered Debt Servicing System (“CARDS”) – CARDS is used to process
                 claims from receipt to closure. This includes the evaluation of the submitted
                 claim for liability, the issuance of payments for valid claims and the
                 collection of money from third parties. CARDS encompasses five subsystems:
                 Claims Entry, Claim Assignment and Evaluation, Claim Payment, Recovery
                 Management, and Recovery and Expenses Allocation.

               • The Rescheduled Debt Servicing System (“RLOANS”) – RLOANS is pertinent for the
                 restructuring and processing of rescheduled debt. In the event that a debtor
                 country cannot repay a debt (e.g., in a situation where the debtor country
                 cannot convert local currency to dollars due to the exchange rate), the Paris
                 Club[2] meets to determine a new schedule for repayment through restructuring
                 of public and private sector debts. RLOANS processes the restructured loan
                 details, standardizes billing, and facilitates the payments of recovered
                 amounts.

               • The Administrative Accounting Activity (“AAA”) – AAA processes all
                 administrative expense transactions, including budget fund control for each
                 appropriation.
                 AAA processes purchase orders, invoices, travel (including sponsored travel),
                 and employee debt. The application also reports on administrative expense
                 activity and stores contact data for vendors who receive payments from Ex-Im
                 Bank.

     IV.  Oracle General Support System (“Oracle GSS”) – Oracle GSS is an Oracle database
          management system which includes the tools Enterprise Manager, Oracle Business
          Intelligence Suite, Application Express, and Oracle Enterprise Performance Management
          System (“Hyperion”). The purpose of this environment is to perform basic data
          management capabilities to support Ex-Im applications and data warehouse.

To support its mission, the Bank’s network infrastructure consists largely of networking devices
with various servers running different operating system platforms.
The networks are protected from external threats by a range of IT security devices including
firewalls, intrusion detection and prevention, antivirus, and spam filtering systems.

The IT environment noted above was evaluated in support of the following significant business
operations processes and work streams:

     • Medium-Term and Long-Term Loan and Guarantee Applications;
     • Working Capital Guarantees;
     • Medium-Term Insurance and Guarantees;
     • Letter of Interest Applications;
     • Application, Participant[3], and Policy Reviews via EOL;
     • Single- and Multi-Buyer Insurance;
     • Medium-Term Insurance and Guarantees / Long-Term Transactions;
     • Participant Verification;
     • Transportation Billing and Underwriting; and
     • Claims.

[2] The Paris Club is an informal group of financial officials from 19 of the world's biggest
economies, which provides financial services such as funding, debt restructuring, debt relief,
and debt cancellation to indebted countries and their creditors.
[3] A “Participant” is anyone involved in the transaction such as the applicant, lender,
exporter, supplier, guarantor, etc.

OBJECTIVE

The objective of this audit was to determine whether Ex-Im Bank is minimizing the cost and
maximizing the usefulness of its key IT systems to meet Ex-Im Bank’s mission.
The specific audit objectives were to:

   • Identify key data and procedures used by Ex-Im Bank to process and monitor its loan,
     guarantee, and insurance products, as well as loan default and guarantee and insurance
     claims.
   • Identify interoperability of Ex-Im Bank’s four critical IT systems: GSS, F&AS, EOL, and
     Oracle GSS.
   • Determine whether Ex-Im Bank’s IT systems provide useful information to effectively and
     efficiently process and monitor activity.
   • Identify effectiveness of IT applications and systems as they relate to Ex-Im Bank’s
     operating mission.
   • Identify annual expenditures on IT systems and determine the amounts applied to maintain
     and improve its systems.

SCOPE AND METHODOLOGY

The scope of the audit focused on whether Ex-Im Bank IT systems are able to effectively and
efficiently support Ex-Im Bank’s mission.

Our audit procedures to support the specific audit objectives were performed with various
subject matter experts within the business operations and IT teams. Testing procedures included
a mix of inquiries of appropriate personnel, inspection of relevant documentation, and
observation of the operations. In addition, where necessary, samples were selected to validate
the effectiveness of selected controls and procedures. Sample sizes utilized were aligned with
those required by Generally Accepted Government Auditing Standards (“GAGAS”). A listing of
acronyms used in this report is included in Appendix B.

Specifically, we met with subject matter experts from the IT System Engineering, IT Security &
System Assurance, and Information Management & Technology in the Office of the Chief Information
Officer (“OCIO”), including the Chief Information Officer (“CIO”).
We also met with subject matter experts in Operations and Data Quality, Trade Finance,
Transportation Portfolio Management, Export Finance, Claims and Recoveries, Credit Review and
Compliance Division, Office of the Chief Financial Officer, and the Office of General Counsel.

As a part of our audit procedures, we documented the transaction flow of the below selected
business operations processes and work streams. These flow charts are included in Appendix A.

   • Short-Term, Single-Buyer, Multi-Buyer, Medium-Term Insurance and Medium-Term Guarantees;
   • Medium-Term, Long-Term and Working Capital Guarantees, and Long-Term Insurance;
   • Transportation Underwriting and Transportation Billing; and
   • Claims Processing.

We analyzed data and documentation obtained from Ex-Im Bank subject matter experts, as well as
other information available, such as Ex-Im Bank policies and procedures and other authoritative
guidance.

We conducted our audit procedures from April 11, 2011 through September 20, 2011.

We conducted this performance audit in accordance with GAGAS. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and
conclusion based on our audit objectives.

AUDIT RESULTS

Our audit work revealed that, while the business operations at Ex-Im Bank are functioning and
transactions are being processed, the IT systems are not supporting these operations efficiently
and effectively. Overall, Ex-Im Bank IT systems and databases do not always capture and manage
all necessary data for business needs and antiquated IT applications cause workflow
inefficiencies. For instance, Ex-Im Bank’s APS, which is in the F&AS and was developed decades
ago, cannot handle certain underwriting data necessary for a transaction or capture necessary
information related to certain transportation deals. In addition, because not all applications
for Ex-Im products are electronically accepted and/or processed in a centralized database and
because Ex-Im Bank’s IT systems are not integrated, certain key data has to be manually entered
into other Ex-Im Bank systems and transaction records hard copied to complete the respective
department’s processing task(s). Because of these issues data integrity is at risk, resources
are not efficiently used, and data gathering and reporting are burdensome and time consuming. In
sum, the present IT systems make it difficult for Ex-Im Bank to provide timely service,
effectively manage and track its programs, measure progress, and increase productivity.

Furthermore, Ex-Im Bank does not have practices to effectively manage its strategic planning, IT
spending, and the System Development Life Cycle (“SDLC”) and Program Change Management (“PCM”).
The audit found that: the Office of the Chief Financial Officer does not have sufficient
detailed information on the amount of IT spending versus plans and the specific purpose for each
expenditure; the Strategic Plan was not formally approved and is not sufficiently comprehensive
to coordinate and manage initiatives; and the SDLC and PCM processes are not consistently
followed. Failure to have strong controls in these areas prevents management from determining
and monitoring the best use of funds to improve IT support of Ex-Im Bank’s mission.

Even though all findings we identified have some relation to IT systems, they are not all the
direct responsibility of the IT department due to their pervasive nature. The identified
findings are provided below and further discussion on each finding is presented in the remaining
portion of this report.

A - Business Operations
    A.1 Key IT Applications are Inefficient and Incapable of Capturing Certain Data, Automating
        Workflow Procedures and Integrating Data.
    A.2 Participant Information Is Not Always Timely and Completely Captured.
B - Information Technology
    B.1 Strategic Planning Process Does Not Address Current and Future Needs.
    B.2 IT Budget and Spending Practices Do Not Provide Adequate Data for Investment Oversight.
    B.3 Ex-Im’s Systems Development Life Cycle and Program Change Management Processes Are Not
        Consistently Followed.

A – BUSINESS OPERATIONS

Ex-Im Bank’s IT systems do not fully support its operations and reporting function because IT
systems are not integrated and participant data is not effectively and efficiently
processed. Data is manually keyed into multiple systems, working files are duplicated by offices
for their respective processing, and manual tasks are performed to complete business processes.
Also, participant data, which is data related to anyone involved in a transaction such as the
applicant, lender, exporter, supplier, guarantor, etc., is not timely and fully captured. While
business operations at Ex-Im Bank are functioning and transactions are being processed, Ex-Im
Bank’s current IT systems inhibit Ex-Im’s ability to provide timely service, effectively manage
and track its programs, measure progress, identify transaction patterns, and increase
productivity. Further details on workflow and participant data are presented below.

Ex-Im Bank’s Charter requires Ex-Im Bank to develop and “implement an electronic system designed
to track all pending transactions” and to establish and maintain a website through which Bank
products may be applied for and to obtain information regarding the status of applications.[4]
Office of Management and Budget (“OMB”) Circular A-130, Management of Federal Information
Resources, Appendix III, Security of Federal Automated Information Resources (Revised,
Transmittal Memorandum No.
4, 11/28/2000), states: \xe2\x80\x9cAgencies must\nimplement the Enterprise Architecture consistent with following principles:\n\n       \xef\x82\xb7\t Develop information systems that facilitate interoperability, application portability, and\n          scalability of electronic applications across networks of heterogeneous hardware,\n          software, and telecommunications platforms;\xe2\x80\x9d\n\n       \xef\x82\xb7\t (iii) Applications -- Agencies must identify, define, and organize the activities that\n          capture, manipulate, and manage the business information to support business\n          processes.\xe2\x80\x9d\n\nWhile Ex-Im Bank is not required to follow OMB\xe2\x80\x99s Circular A-123, Management\xe2\x80\x99s Responsibility\nfor Internal Control, this circular provides guidance on sound management practices for\nachieving Ex-Im Bank\xe2\x80\x99s mission. Circular A-123 states \xe2\x80\x9cManagement controls are the\norganization, policies, and procedures used to reasonably ensure that (i) programs achieve their\nintended results; (ii) resources are used consistent with agency mission; (iii) programs and\nresources are protected from waste, fraud, and mismanagement; (iv) laws and regulations are\nfollowed; and (v) reliable and timely information is obtained, maintained, reported and used for\ndecision making.\xe2\x80\x9d\n\nCircular A-123 directs agencies to \xe2\x80\x9c \xe2\x80\xa6 take systematic and proactive measures to (i) develop\nand implement appropriate, cost-effective management controls for results-oriented\nmanagement; (ii) assess the adequacy of management controls in Federal programs and\noperations; (iii) identify needed improvements; (iv) take corresponding corrective action; and (v)\nreport annually on management controls.\xe2\x80\x9d\n\n\n\n\n4\n    12 U.S.C. 
§§ 635(b)(1)(J) and (2)(h).

A.1 Key IT Applications are Inefficient and Incapable of Capturing Certain Data, Automating Workflow Procedures and Integrating Data.
Ex-Im Bank’s APS does not have the ability to fully support business processes and products as they have evolved over time. This system was developed decades ago and no longer meets Ex-Im Bank’s operational needs. Moreover, EOL only handles limited products online. During our review, we noted inefficiencies such as manually re-keying participant data into multiple Ex-Im Bank systems, researching incomplete data (see participant data finding A.2), and searching for and printing documents relevant to the transaction. Other workflow inefficiencies are detailed below. While we identified no significant errors as a result of these inefficiencies, we noted that automation of the processes could improve workflow effectiveness and efficiency and provide management with timely and useful information. Furthermore, records automation would reduce potential fraud by ensuring all documents related to one customer are linked.

   • Applications for long-term guarantees and loans cannot be submitted online and must be submitted through mail, e-mail or fax. These applications are then manually keyed into the APS, and multiple paper copies of the files are then printed and sent to various departments for processing and manual keying of additional data. Manually keying data is an inefficient use of time and also increases the risk of incorrect data entry.

   • Transportation underwriting data is not captured in APS.
     The key control in the underwriting approval process is the preparation of the Credit Analysis Memo, which is presented to the Board. This Memo documents the history of the borrower, Ex-Im Bank’s current relationship with the borrower, the economic conditions of the borrower, and the borrower’s ability to repay the note, among other things. APS was not designed as an underwriting system. APS was designed as a transaction-based system only and therefore cannot retain underwriting documents.

   • APS was not designed for the uniqueness and complexity of transportation financing.[5] For the airline industry, for example, APS is unable to capture the level of detail necessary for the processing of each component of the deal when many components make up a deal. For example, one airline deal could include many aircraft, different amounts of co-financing per aircraft, and different co-financing parties per aircraft. Due to the size and complexity of the aircraft deals, the limited information available for each component is inefficient and results in billing inefficiencies.

   • Not all relevant data is transferred between APS, the LG/A system, and the Standard General Ledger system in a timely manner. During our procedures, we noted that the APS and LG/A interface transfers the U.S. portion of the deal first, while the non-U.S. denominated terms are transferred at a later date, and that transfers between component tranches in APS require manual adjustment in LG/A. LG/A does not have the capability to process certain transactions in foreign currency. LG/A has difficulty calculating billing in U.S. dollars on a foreign currency tranche. Thus, the Loan and Guarantee Servicing Division manually generates a bill in Microsoft Word.
     Manual bills require additional processing time (approximately four to six hours) and, due to the amount of detail, require a number of manual reviews and edits. Once the bill is finalized, the Loan and Guarantee Servicing Division updates the invoice details in LG/A. With these manual changes, inconsistencies can develop between APS and LG/A. The inefficiency becomes cyclical, resulting in errors in future bills that require manual adjustment.

[5] As of September 30, 2011, the air transportation sector represented 48.2% of Ex-Im Bank’s total exposure, i.e., the authorized outstanding and undisbursed principal balance of loans, guarantees, and insurance.

   • There is no formal policy governing working file document management. Currently, files are kept manually, electronically, or both. The lack of an Ex-Im Bank working file document management policy results in some departments copying documents for their own files to perform the department’s objectives. Because of this practice, employees must spend additional time to locate all associated documents (e.g., original, working, approved, final version, etc.) to complete the transaction processing. Also, the Inspector General’s office must expend extraordinary efforts in identifying and gathering all documents associated with a potential case under investigation.

   • Transaction Status is not easily apparent in reports generated in Ex-Im Bank Reporting System (“ERS”).
     A transaction classified as “troubled” could have had a claim filed or could be related to late payments. A “closed” classification could actually mean paid in full or withdrawn. A user must drill down to determine the exact meaning.

   • Only one designated individual in the Asset Management Division has the knowledge and skill to generate reports on claims. This individual will generate a report from several different data sources, depending on the requested information.

   • Numerous databases are independently maintained by Ex-Im staff (i.e., in Microsoft Access and Excel) and are not managed by the OCIO.

   • Key documents are difficult to merge for the Department of Justice’s use in processing potential fraud cases due to files being password protected.


Recommendations

We recommend that the Executive Vice President and Chief Operating Officer:

   1. Have the business owners individually and in aggregate reevaluate their business requirements and minimum relevant data necessary to process transactions involving complex structures and to monitor business operations. They should then work with the Office of Information Technology to initiate, develop, and test an integrated application that is aligned with those needs and supports Ex-Im Bank’s mission.

   2. Develop a formal working file document management policy.
      In developing the formal policy, Ex-Im Bank should additionally a) educate Ex-Im Bank employees to ensure they understand the need to share consistent information across departments; b) establish the means to retain and share working file documents; c) store the policy in a readily accessible medium; and d) implement a mechanism to monitor compliance with the formal policy.

Management’s Response

Recommendation 1:

We agree with the recommendation. The Ex-Im Bank has kicked off the first in a series of processing system projects that are being funded from the IT Investment fund recently made available. The various project plans, including the Participant Hub, Working Capital automation, and Forms consolidation, all start with a detailed and thorough review of business requirements and strategic direction with the business owners. The project plans then establish a Business Stakeholders Steering Committee and a pool of identified business users who will test and review any application development. The Business Stakeholders Steering Committee will have final say on business requirements and on determining whether or not system proposals meet those requirements.

In particular, one of the business operations with extremely complicated structures, Transportation Finance, has begun a streamlining/LEAN exercise. This project is targeted to be completed Summer 2012. As staff has acknowledged that the current processing system is a mill-stone around their neck, one of the final products to be developed will be a detailed set of system requirements that support the new business process.
These system requirements will be used in the project plan for "automating" Transportation Finance.

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

Recommendation 2:

We agree with the recommendation. The Ex-Im Bank will develop a policy based on best practice in the Government. As more applications are handled online (e.g. insurance), the case file, its related attachments, and artifacts are stored in the document management system used by EOL.

The "Working File" policy will be based on the following parameters:

The National Archives and Records Administration (NARA) defines working files as: "rough notes, calculations, or drafts assembled or created and used to prepare or analyze other documents (Also called working papers)."

Working files are disposable once a document is finalized unless Working Files are Records. NARA's regulations (36 CFR 1222.34(c)) say that working files are records if:

   1. They were circulated or made available to employees, other than the creator, for official purposes such as approval, comment, action, recommendation, follow-up, or to communicate with agency staff about agency business; and
   2. They contain unique information, such as substantive annotations or comments included therein, that adds to a proper understanding of the agency's formulation and execution of basic policies, decisions, actions, or responsibilities.

Staff will be provided training to determine which documents in their possession need to be filed and retained as records, and which documents can be safely recycled or destroyed.

Auditor Comment:

Management should also develop a compliance monitoring process.
When accomplished, the above action should satisfy this recommendation.

A.2 Participant Information Is Not Always Timely and Completely Captured.
APS and EOL, designed for the processing of loan, guarantee, and insurance products, cannot provide a complete view of participant activity due to difficulty in linking or highlighting duplicate participant data. These weaknesses result in employees researching missing data and in difficulty obtaining accurate and timely reports on Ex-Im Bank’s operations, and they prevent Ex-Im Bank and the Office of Inspector General from efficiently conducting forensic analysis to identify possible patterns in transactions.

Certain transactions are processed even though documentation or information is missing, because Ex-Im Bank does not require a unique identifier to be used by participants when applying for a loan, guarantee, or insurance or in required reporting to Ex-Im Bank. The following specific items were identified:

   • Returning participants cannot be automatically associated with their historical Ex-Im Bank transactions. The Operations and Data Quality Division has been working towards correcting this problem, but not all returning participants have been identified.

   • Not all required information, such as shipping address, Data Universal Numbering System (“DUNS”) number, and phone numbers, is obtained and recorded in a timely manner. The Operations and Data Quality Division contacts the participant to obtain this information. However, in some cases participant information had been missing since August 2010, or nine months past the shipment date.
     As of May 5, 2011, this Division had 250 shipment reports that needed to be verified. As shipment reports could contain numerous participants, the actual number of participants to be verified is likely larger than 250.

   • Accurate reports are not easily available by participant due to incomplete or duplicate participant data. Information on the following reports needs to be manually tabulated to achieve a comprehensive view of a participant:

        o Transactions by geographic location or region;
        o Transactions by industry; and
        o Transactions by Ex-Im Bank’s product and sub-product line, such as Working Capital Delegated Authority vs. Working Capital.

Management advised us that the unique identifier assigned to each participant upon the submission of an application is not communicated to participants for use on future transactions. Management stated that using a unique identifier which may already exist for participants (e.g., DUNS, tax identification, Social Security Number (“SSN”)) is not always possible. Management further stated that commonly used identifiers, noted above, may not exist across domestic or international companies and that companies may have multiple DUNS numbers for multiple locations of their operations. Although personal identifiers are sometimes obtained during a transaction, the information is not retained. For example, an individual participant’s data such as an SSN is not retained within the system. Management’s rationale is that such data is not retained for security reasons and that the number of transactions involving individuals is small in comparison to the total operations of the business.
Even though the last four digits could be maintained, they would not be sufficient to properly link participants’ information for key items such as history and relationships.

Required fields for application processing need to be expanded or revised as current requirements are not sufficient for Ex-Im Bank’s needs. Existing participants can submit incomplete reporting without a delay in the transaction processing. For example, shipment reports are allowed to be submitted with required fields such as address populated with “TBD” (to be determined).

Ex-Im Bank does not have a centralized master data management policy and procedures to manage participant data flow between its IT applications. The lack of complete and accurate participant data results in difficulty:

   • Capturing the necessary data for business owners to transact and monitor business operations on its applications;

   • Promptly providing management with business information to support the business process;

   • Efficiently using resources, as Ex-Im Bank has dedicated three employees to process applications and reconcile more than 1,800 new participant records per month that are created during the application process.
     Additionally, two employees spend 100% of their time researching missing participant data and reconciling potential duplicate or related participants in the 300,000 existing participant records already in Ex-Im Bank’s systems; and

   • Reducing its risk exposure to fraud, due to the lack of a bank-wide unique participant identifier and the resulting difficulty in tracking transactions by participant.


Recommendations

We recommend that the Executive Vice President and Chief Operating Officer:

   3. Implement a bank-wide unique identifier to ensure that all new participants can be readily identified and returning participants are associated with their historical transactions.

   4. Have the business owners revise the required minimum participant data necessary to process an application. Ex-Im Bank should only process applications that meet those minimum criteria.

   5. Develop a formal data management policy and procedures to ensure complete and accurate participant data is captured in Ex-Im Bank’s centralized database and define which information is required for reporting purposes.
      The policy and procedures should include, as soon as possible, a clear definition and management of participant identification so that participants can be linked to transactions.

   6. Require that the formal data management policy and procedures be a) communicated to appropriate Ex-Im Bank employees; b) reviewed annually, updated, and re-communicated accordingly; and c) stored in a readily accessible medium.

Management’s Response

Recommendation 3:

We agree with the recommendation. Ex-Im Bank has kicked off the first in a series of processing system projects that are being funded from the IT Investment fund recently made available. One project which has already commenced is the Participant Hub project. One of the business requirements that has already been identified is that there be a bank-wide unique identifier to ensure that all new participants can be readily identified and returning participants are associated with their historical transactions. The Participant Hub project plan commenced in November 2011 and is projected to be fully implemented by January 2013. With implementation of the Participant Hub, Ex-Im Bank will have a bank-wide unique identifier and processes to ensure that all new participants can be readily identified and returning participants are associated with their historical transactions.

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

Recommendation 4:

We agree with the recommendation. Ex-Im Bank has kicked off the first in a series of processing system projects that are being funded from the IT Investment fund recently made available. There are two projects moving hand-in-glove.
They are the Participant Hub and Forms Consolidation projects. As part of the business requirements process for each project, business users are identifying the minimum required participant information for the Participant Hub and the minimum required participant (and other) information for processing an application. The Participant Hub project plan commenced in November 2011 and is projected to be fully implemented by January 2013. Meanwhile, the Forms Consolidation project started December 2011 and is projected to be implemented by March 2012.

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

Recommendation 5:

We agree with the recommendation. Ex-Im Bank has kicked off the first in a series of processing system projects that are being funded from the IT Investment fund recently made available. One project which has already commenced is the Participant Hub project. As part of the business requirements process for the project, business users are identifying the appropriate policies and procedures that will need to be established to ensure complete and accurate data is captured and maintained in the Participant Hub and the connected transaction processing systems. The Participant Hub project plan commenced in November 2011 and is projected to be fully implemented by January 2013.

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

Recommendation 6:

We agree with the recommendation. One of the benefits that Ex-Im Bank hopes to achieve from its processing system projects is full documentation of policies and procedures that will be readily accessible to business users and communicated to the business users.
As the projects progress, documentation will be developed and reviewed by the business users.

Auditor Comment:

When accomplished, the above actions should satisfy this recommendation.

B – INFORMATION TECHNOLOGY

Ex-Im Bank does not have practices to effectively manage its strategic planning, IT spending, and the SDLC and PCM. The audit found that the Office of the Chief Financial Officer (“OCFO”) does not have sufficiently detailed information on the amount of IT spending versus plans and the specific purpose for each expenditure; the Strategic Plan was not formally approved and is not sufficiently comprehensive to coordinate and manage initiatives; and the SDLC and PCM processes are not consistently followed. Failure to have strong controls in these areas prevents management from determining and monitoring the best use of funds to improve IT support of Ex-Im Bank’s mission.


B.1 Strategic Planning Process Does Not Address Current and Future Needs.
Ex-Im Bank does not have the necessary IT planning process in place to guide its efforts. Although Ex-Im Bank has an IT Strategic Plan covering fiscal years 2011 through 2014, the plan was not formally approved and it is not sufficiently comprehensive to coordinate and manage initiatives and projects. A comprehensive IT Strategic Plan would describe what Ex-Im Bank seeks to accomplish, identify the strategies it will use to achieve desired results, and provide results-oriented goals and performance measures that permit it to determine whether it is succeeding.
Key items including Project Sponsorship, Project Timelines, Project Savings, and Business Drivers were not captured for major IT investment projects, and official approval of the IT Strategic Plan was not evident.

An approved comprehensive IT strategic plan, which is a foundation for effective modernization and is required by federal guidance, would give Ex-Im Bank a tool that serves as its IT vision or roadmap and helps align its information resources with its business strategies and investment decisions. A comprehensive IT strategic plan identifies what an agency intends to accomplish – if funded – during a given period and helps ensure that the necessary infrastructure is put in place for new or improved capabilities. In addition, an IT strategic plan which identifies interdependencies within and across individual IT systems modernization projects helps ensure that the interdependencies are understood and managed, so that projects and systems are effectively integrated. The lack of a complete, accurate, and formally approved IT Strategic Plan can potentially result in funds being misapplied to major IT development that does not meet Ex-Im Bank’s mission. As discussed above, this audit identified weaknesses in IT, which result in the lack of effective and efficient processing of Ex-Im Bank’s business requirements.

Congress and OMB have recognized the importance of IT management controls. The Clinger-Cohen Act, for example, provides a framework for effective IT management that includes systems integration planning, human capital management, and investment management. In addition, the Paperwork Reduction Act requires that agencies have strategic plans for their information resource management, and the E-Government Act of 2002 contains provisions for improving the skills of the federal workforce in using IT to deliver government information and services.
Further, OMB has issued guidance on integrated IT modernization planning and effective IT human capital and investment management.

OMB Circular A-130 – Management of Federal Information Resources, Transmittal Memorandum No. 4 directs agencies to establish information system management oversight mechanisms that (a) ensure that each information system meets agency mission requirements; (b) provide for periodic review of information systems to determine (i) how mission requirements might have changed, (ii) whether the information system continues to fulfill ongoing and anticipated mission requirements and (iii) what level of maintenance is needed to ensure the information system meets mission requirements cost effectively; and (c) ensure that the official who administers a program supported by an information system is responsible and accountable for the management of that information system throughout its life cycle.

OMB Circular A-130 section 7.i., states that “… the agency strategic plan will shape the redesign of work processes and guide the development and maintenance of an Enterprise Architecture and a capital planning and investment control process. This management approach promotes the appropriate application of Federal information resources.” Section 7.9.b(1) states “Agencies must establish and maintain a capital planning and investment control process that links mission needs, information, and information technology in an effective and efficient manner.
The process will guide both strategic and operational IRM, IT planning, and the Enterprise Architecture by integrating the agency's IRM plans, strategic and performance plans prepared pursuant to the Government Performance and Results Act of 1993, financial management plans prepared pursuant to the Chief Financial Officer Act of 1990 (31 U.S.C. 902a5), acquisition under the Federal Acquisition Streamlining Act of 1994, and the agency's budget formulation and execution processes. The capital planning and investment control process includes all stages of capital programming, including planning, budgeting, procurement, management, and assessment.”

In August 2011, OMB issued M-11-31, placing responsibility on the Chief Operating Officer to lead the agency’s efforts to set priority goals; designate a senior official responsible for each goal; and review progress quarterly to improve performance and reduce costs. Also in August 2011, OMB issued M-11-29, making the CIO responsible and accountable for the operating efficiency of the agency.


Recommendation

We recommend that the Executive Vice President and Chief Operating Officer and the Chief Information Officer:

   7. Collaborate to develop a formally approved, robust process for creating a clear and comprehensive IT Strategic Plan according to OMB requirements to effectively support Ex-Im Bank’s mission.

Management’s Response

We agree with the recommendation. The Ex-Im Bank will adhere to using the Capital Planning and Investment Control (“CPIC”) process to identify investment initiatives and the COO will provide timely goals and objectives.
The CIO will develop plans and Cost Benefit Analysis and alternatives and develop a detailed IT strategic plan and seek timely approval of plans and funds them for the effective execution of the IT strategic plan.

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

B.2 IT Budget and Spending Practices Do Not Provide Adequate Data for Investment Oversight.
Ex-Im Bank has a budget process in place, but improvements are needed to report actual versus planned IT spending and manage IT investments. For fiscal year 2010, the total IT budget excluding personnel expenses was $13,485,081.68. However, the actual IT spending data provided by the Treasurer was $13,537,177.53 (as of May 2011) whereas the official record in AAA reported $13,475,531.55 (as of June 2011). This difference occurred due to limitations of the AAA system, which does not capture plans versus expenditures and does not provide detailed IT expenditure information for OCFO personnel to perform proper review. Furthermore, the official approved budget for IT contained $0 for enhancements, but we noted spending items which may be related to enhancements for critical systems rather than maintenance and operations. While Ex-Im Bank has an executive review board to approve new projects, it does not have a policy that includes a formal and robust process to track, review, and monitor the actual IT spending versus plans at the detail level.
Without strong management and accountability in selecting and overseeing IT investments, Ex-Im Bank is exposed to the risk that projects will not improve IT support as originally planned.

Although significant IT work has been performed over the last several years, Ex-Im Bank’s Information Technology Executive Review Board (“ITERB”), which is made up of senior executives excluding the CIO, has not submitted a request to OMB for an investment since 2008. The ITERB is responsible for approving or preliminarily approving the investment pursuant to a full cost-benefit analysis. Once the ITERB approves an investment, the CIO works with the Budget Officer to conduct a budget analysis and determine sources of funding for the investment. The ITERB prioritizes the investment against other investments in the Ex-Im Bank IT portfolio. While these actions are positive, the ITERB does not track cost and schedule variances to ensure the project will produce the intended results at minimum costs.

The CIO stated that requests for enhancements have not been submitted to the ITERB because the OCIO has not received additional funds in the last three years; thus all IT work has been for maintenance and sustainment. However, we identified fiscal year 2010 IT funds potentially spent on enhancements, such as the deployment of new products including Insurance Express, Supply Chain Facility, and Reinsurance. We estimate that 11% ($1.5M) of expenses of the approved IT budget are enhancements and should not just be classified as sustainment.

In conclusion, our review of IT spending found that funds were not accurately categorized according to OMB Circular A-11 Section 53 – Information Technology and E-Government. Section 53 provides guidance to allow the agency and OMB to review and evaluate each agency's IT spending.
This section defines the amount being spent on development and
modernization of IT versus the amount being spent on operating and maintaining the status quo
for IT as follows:

   • Development/Modernization/Enhancement means the program cost for new
     investments, changes or modifications to existing systems to improve capability or
     performance, changes mandated by the Congress or agency leadership, personnel
     costs for investment management, and direct support.

   • Steady State means maintenance and operation costs at current capability and
     performance level including costs for personnel, maintenance of existing information
     systems, corrective software maintenance, voice and data communications
     maintenance, and replacement of broken IT equipment.

Because IT spending was not properly categorized, the ITERB was not provided with critical
business user and cost information to prioritize the investment against other investments in the
Ex-Im IT portfolio. Also, the ITERB lost the opportunity to be informed on the status and
usefulness of IT investments because it had no policy or procedures to monitor and improve
project planning and execution.

Although OMB M-11-29, Chief Information Officer Authorities, is not applicable to the
items noted above because it was issued on August 8, 2011, the directive is relevant to our
recommendation to improve the management of IT investments. This memorandum identifies the
need to shift the primary responsibilities of the federal CIO, "away from just policy making and
infrastructure maintenance, to encompass true portfolio management for all IT."
The memo
states the following:

       Agency CIOs must be positioned with these responsibilities and authorities to improve
       the operating efficiency of their agencies. In addition to their statutory responsibilities
       through the Clinger-Cohen Act and related laws, under the IT Reform Plan there are four
       main areas in which Agency CIOs shall have a lead role:

           1. Governance. CIOs must drive the investment review process for IT investments
              and have responsibility over the entire IT portfolio for an Agency.
           2. Commodity IT. Agency CIOs must focus on eliminating duplication and
              rationalize their agency's IT investments. CIOs must show a preference for using
              shared services as a provider or consumer instead of standing up separate
              independent services.
           3. Program Management. Agency CIOs shall improve the overall management of
              large Federal IT projects by identifying, recruiting, and hiring top IT program
              management talent. CIOs will be held accountable for the performance of IT
              program managers based on their governance process and the IT Dashboard.
           4. Information Security.
              CIOs, or senior agency officials reporting to the CIO, shall
              have the authority and primary responsibility to implement an agency-wide
              information security program and to provide information security for both the
              information collected and maintained by the agency, or on behalf of the agency,
              and for the information systems that support the operations, assets, and mission
              of the agency.

With responsibilities for these four areas, Agency CIOs will be held accountable for lowering
operational costs, terminating and turning around troubled projects, and delivering meaningful
functionality at a faster rate while enhancing the security of information systems. These
additional authorities will enable CIOs to reduce the number of wasteful duplicative systems,
simplify services for the American people, and deliver more effective IT to support their agency's
mission.

Recommendations

We recommend that the Executive Vice President and Chief Operating Officer and the Chief
Information Officer:

   8. Classify requested and authorized IT funds according to OMB’s CIRCULAR A–11
      definitions on the development and modernization of IT versus the amount being spent
      on operating and maintaining the status quo for IT.

   9. Enhance or replace the AAA system or develop an IT system to provide current
      information on actual versus planned IT spending to ensure the proper management of
      IT operation and maintenance spending and investments.

We recommend that the Executive Vice President and Chief Operating Officer:

   10. Formally direct the CIO on the implementation of the new requirements prescribed in
       OMB’s M-11-29, Chief Information Officer Authorities.

Management’s Response

Recommendation 8:

We agree with the recommendation. The Ex-Im Bank doubled its authorizations since 2008
(more transactions, more disbursements, more documents, more data base support, etc.). This
increase of ongoing support and related transactions are NOT status quo. They are operations
and maintenance (“O&M”) and "sustain engineering". The Ex-Im Bank uses "Sustain
Engineering" for ongoing required maintenance, refresh, and small enhancements for systems.
The Ex-Im Bank uses the term "Investment" for major system or programmatic changes (It
should be noted that the low end enhancements in OMB are around $5 million dollars). That
same definition and approach is used across the Government, especially by small agencies.

The Ex-Im Bank will make budget estimates and distinction between "Fixes" and "Change
Requests" in the development cycles to capture these differences. Ex-Im Bank will continue to
use the Government-wide use of the context of the Exhibit 53 and intent of circular A-11 for
large investments. Ex-Im Bank will ensure the Executive Working Group (“EWG”) is involved
and monitor the "sustain engineering" tasks as well as the major investments used as part of
the Exhibit 53.

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

Recommendation 9:

We agree with the recommendation. The CFO and CIO have established a team to evaluate the
enhancement/replacement of AAA with a financial core (FMLOB) budgeting system.
This
initiative is included in the OCIO strategic plan and includes a system capable of tracking
planning, obligation, and actual information. Execution of this plan is dependent on
"INVESTMENT" funding being made available for the initiative. Since 2008, this initiative was
being evaluated for funding. Planning, requirement, and alternatives documentation was
prepared. The next step is to update that documentation, attend demos, and seek budget and
resources to pursue this goal.

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

Recommendation 10:

We agree with the recommendation. A number of these guidance and objectives are already in
place. The Ex-Im Bank is a small agency and all of IT is managed by the OCIO.

Plans are to be executed in the next 9 months to transfer email to the cloud. The continuity of
operations (“COOP”) capability is already deployed in the cloud and a web site service through
the cloud is being reviewed for security and cost effectiveness.

Lean and Agile development processes are going to be implemented as part of the investment
fund execution that includes the Participant Hub, Working Capital automation, and Forms
consolidation.

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

B.3 Ex-Im’s Systems Development Life Cycle and Program Change
Management Processes Are Not Consistently Followed.

Ex-Im Bank has an SDLC, which includes a PCM process, in place. However, Ex-Im Bank’s
SDLC process was not consistently followed to implement the ERS system.
The SDLC
provides a structured and standardized process for all phases of any system development
effort, integration and testing, deployment and acceptance, and finally to system retirement.
Ex-Im System Development Life Cycle Policy, Version 1.0, pages 11, 7 and 9, respectively, state
the following:

       “Data management, configuration management, and quality assurance must be
       considered throughout the system life cycle. The project manager will create and
       maintain the SDLC deliverables …”

       “…Manage IT projects as investments. Proposed Automated Information System (“AIS”)
       or IT infrastructure projects must be supported by a business case that includes
           ▪ an analysis of the expected costs and benefits for a project
           ▪ alternative solutions considered
           ▪ potential programmatic and technical risks
           ▪ outcomes and performance measures: the overall contribution of the project to
             Bank’s missions, goals, and objectives…”

       “…End-user participation and involvement throughout life cycle activities is crucial to the
       success of each project.
       End-users must participate early in any AIS project in order to
       obtain clear, validated functional requirements, and to provide user acceptance testing…
       End-users must be provided with initial training to support a newly installed AIS or IT
       infrastructure system and receive additional training necessary to effectively use system
       modifications and enhancements…”

We identified the following findings:

   • No evidence was provided to show that master data management procedures are in
     place to manage participant data flow from the EOL and F&AS to the ERS;

   • No evidence was provided to show that a Business Needs Analysis was performed for
     the ERS implementation;

   • No evidence was provided to show that there was formal management approval of test
     plans and the “Go-Live” decision for the ERS implementation; and

   • No actual training attendance records exist for the ERS implementation to evidence that
     business users were adequately trained prior to implementation.

Additionally, Ex-Im Bank’s PCM process – User Acceptance Testing (“UAT”) – as directed in
Ex-Im System Development Life Cycle Policy, Version 1.0, Page 9, was not consistently
followed to implement system changes to the EOL and FAS systems.
We identified the
following finding:

   • No evidence was provided to show that UAT was performed in 100% of the change
     requests to ensure that system changes were functioning properly or met the stated
     business requirements for modifications to critical application functionality for EOL and
     F&AS.

Without consistent adherence to Ex-Im’s SDLC, including the PCM process, new systems or
modifications to existing systems may negatively impact business users’ needs and result in the
ineffective and inefficient use of technology in support of Ex-Im’s mission.

Recommendation

We recommend that the Executive Vice President and Chief Operating Officer and the Chief
Information Officer:

   11. Ensure Ex-Im Bank’s SDLC process is consistently followed when implementing major
       systems and performing system changes.

Management’s Response

We agree with the recommendation. In addition, the Ex-Im Bank is planning to use the Lean
"Agile Development Methodology" to replace its existing heavy structured SDLC processes to
ensure "delivering meaningful functionality at a faster rate while enhancing the security of
information systems. These additional authorities will enable CIOs to reduce the number of
wasteful duplicative systems, simplify services for the American people, and deliver more
effective IT to support their agency's mission"

Lean Agile principles "promote a development lifecycle that includes frequent inspections with
small incremental tasks; supports collaboration and self-organization; and encourages the fast
delivery of high-quality software."
Lean Agile development principles include:

          o   Individuals and interactions over processes and tools.
          o   Working software over comprehensive documentation.
          o   Customer collaboration over contract negotiation.
          o   Responding to change over following a plan

Auditor Comment:

When accomplished, the above action should satisfy this recommendation.

APPENDIX A – BUSINESS OPERATION FLOWCHARTS

As a part of our audit procedures, we documented the transaction flow of selected business
operations processes and work streams including the following:

          •   Short-Term, Single-Buyer, Multi-Buyer, Medium-Term Insurance and
              Medium-Term Guarantees;
          •   Medium-Term, Long-Term and Working Capital Guarantees, and Long-Term
              Insurance;
          •   Transportation Underwriting and Transportation Billing; and
          •   Claims Processing.

[Flowchart: Products: Short Term Insurance, Single Buyer Insurance, Multi-Buyer Insurance, Medium Term Insurance and Medium Term Guarantees. Swimlanes: Operations & Data Quality (Application: EXIM On Line); Processing / Underwriting (Application: EXIM Online). Diagram not recoverable from the extracted text.]

[Flowchart: Products: Mid Term Guarantees, Long Term Insurance, Long Term Guarantees & Working Capital. Swimlanes: Operations & Data Quality (Application: APS); Processing (Underwriting) (Application: APS); Legal (Application: APS). Diagram not recoverable from the extracted text.]

[Flowchart: Transportation Underwriting (Application: APS; Application: None Noted) and Transportation Billing (Application: LG/A). Diagram not recoverable from the extracted text.]

[Flowchart: Claims Processing (Application: CARDS). Swimlanes: Front Desk; Claims Officer; Contractor; Managing Director (Richard Brackley); Office of the CFO (Approval, Cash Disbursements, Cash Receipt). Diagram not recoverable from the extracted text.]
                           Memo                LG / A\ntype route to\nClaims Officer\n                        Entered nto                                                                                                                                                   Prepare 122P\n                          CARDS                                                                                                                                                     list ng unapplied\n                                                                                                                                                            Disburse funds via         cash receipts\n                                                                                                         Addit ona                                          Treasury s Secure\n                                                                                                         approva s                                           Payment System\n                            CARDS                                                                        necessary?\n\n                                                                                                                                                                                         122P\n                                                                                                                                                                Claimant\n                           CARDS is\n                          configured\n                         for approva                                                                          B\n                                                                                                                                                                                      Program Mgt\n                          authorities.                                                                        
                                                                      Assistants rev ew\n                                                                                                                                                                                    claims and apply\n\n                         Each night\n                        CARDS sends\n                         claims data                      LG/A\n                                                                                                                                                                                         LG / A\n                           to LG/A\n\n\n\n                      Prepare Claims                                                                                                                                                       End\n                      Memo for claims\n                         payment\n                        process ng\n\n\n                           Claims\n                           Memo\n\n\n\n\n                         Addit ona                 Yes\n                         approva s                            A\n                         necessary?\n\n\n\n                                   No\n\n                              B\n\n\n\n\n                                                                         Contractor\n                     For approved claims\n                                                                     assesses coverages\n                       begin collection\n                                                                      & develops initia\n                           efforts\n                                                                        loss estimate\n\n\n\n\n                     Assign a collection                                Entered nto\n                          agency                                          CARDS\n\n\n\n\n                                                            
      Entered via\n                          CARDS                                     remote\n\n\n\n                         CARDS is\n                        configured\n                       for approva\n                       authorities.\n\n\n\n                        Each night\n                       CARDS sends\n                        claims data                      LG/A\n                          to LG/A\n\n                                                          D\n\n\n\n\n                                                                                           Page\xc2\xa027\n\x0c                                        AUDIT OF INFORMATION TECHNOLOGY\n                                 SUPPORT FOR EXPORT-IMPORT BANK\xe2\x80\x99S MISSION\n\nAPPENDIX B \xe2\x80\x93 ACRONYMS\n\nAAA                   Administrative Account Application\nAIS                   Automated Information System\nAPS                   Application Processing System\nBDO                   BDO USA, LLP\nCARDS                 Claims and Recovered Debt Servicing System\nCIO                   Chief Information Officer\nCOOP                  Continuity of Operations\nCPIC                  Capital Planning and Investment Control\nDUNS                  Data Universal Numbering System\nEOL                   EXIM Online\nERS                   Ex-Im Bank Reporting System\nEWG                   Executive Working Group\nEx-Im Bank or Ex-Im   Export-Import Bank of the United States\nF&AS                  Financial and Administrative System\nGAGAS                 Generally Accepted Government Auditing Standards\nGSS                   Infrastructure General Support System\nIIS                   Integrated Information System\nIT                    Information Technology\nITERB                 Information Technology Review Board\nLG/A                  Loan and Guarantee Accounting System\nO&M                   Operations and Maintenance\nOCFO                  Office of the Chief Financial 
Officer\nOCIO                  Office of the Chief Information Officer\nOIG                   Office of Inspector General\nOMB                   Office of Management and Budget\nOracle GSS            Oracle General Support System\nPCM                   Program Change Management\nRLOANS                Rescheduled Debt Servicing System\nSDLC                  Systems Development Life Cycle\nSSN                   Social Security Number\nUAT                   User Acceptance Testing\nU.S.                  United States\n\n\nAPPENDIX C \xe2\x80\x93 MANAGEMENT\xe2\x80\x99S RESPONSE\n\n\nEXPORT-IMPORT BANK\nOF THE UNITED STATES\n\n\nJanuary 13th, 2012\n\n\nMr. Osvaldo L. Gratacos\nInspector General\nOffice of the Inspector General\nExport-Import Bank of the United States\n811 Vermont Avenue NW\nWashington, DC 20571\n\n\nDear Inspector General Gratacos,\n\nThank you for providing Ex-Im Bank management with the Office of the Inspector General\n(OIG)\'s Audit of IT Support for Ex-Im Bank\'s Mission.\n\nBank management concurs with all of your office\'s findings. Please find detailed responses to\neach OIG recommendation from the Bank\'s Chief Information Officer and its Vice President for\nData Quality and Operations attached to this letter.\n\nThe Bank has embarked on a series of system improvement projects to address many of the issues\nthe Report identifies. 
In particular, we would like to draw your attention to three ongoing IT\nprojects which began in November and December 2011\xe2\x80\x94immediately after FY2011 funding\nwas made available by Congress and OMB and properly obligated. The Participant Hub project,\nwhich will be fully implemented by January 2013, will create a bank-wide, unique identifier for\neach participant, resolving many of the data management concerns that you highlight. In\naddition, the Bank has embarked on a Forms Consolidation project to evaluate the minimum data\nnecessary for a transaction and align documentation accordingly. The initial phase of this project\n(conducted on a subset of forms) should be completed by May 2012. Finally, our Working\nCapital Automation project will further reduce unnecessary or duplicative processes. As you\nsuggest in your report, the relevant business owners will be deeply involved in all three of these\nprojects through a Business Stakeholders User Committee.\n\nRegarding your recommendation on the AAA financial systems, we would direct your attention\nto a team that the OCFO and OCIO already have in place to evaluate replacement of AAA with a\ncore financial budgeting system. The team has already completed planning, requirement\nspecifications, and alternatives analysis for the project. Implementation of these plans has been\ncontingent on availability of funding since 2008. With newly available funding in the Bank\'s\nFY2012 appropriations language, moving forward with this project is one of our highest\npriorities.\n\nWhile we agree with all the OIG\'s recommendations, we would also like to express a difference\nof opinion with the report\'s definition of funds expended on "status quo" IT operations and\nmanagement versus IT "development and investment". 
As our CIO explains in her response, the\nBank\'s unprecedented increase in workload since 2008 is not a "status quo" operations and\nmanagement situation. Rather, the Bank defines its IT efforts to cope with the extraordinary\ngrowth as a program of "sustain engineering." Sustain engineering includes ongoing required\nmaintenance, system refreshes, and small enhancements as needed. The Bank considers\n"investment" to be a major and programmatic change, in line with the OMB definitions.\nHowever, the Bank will include a distinction in budget estimates between "Fixes" and "Change\nRequests" in future development cycles in order to better capture these differences.\n\nFinally, we are pleased to inform the OIG that since Congress has made incremental funding\navailable for IT the Bank has engaged independent consultants from the MITRE Corporation to\nhelp guide us through our IT investment and modernization process. We hope that as our\nconsultations with MITRE progress, we can resolve many of the underlying IT and systems\nissues that you identify.\n\nThank you again for the OIG\'s efforts to improve Ex-Im Bank\'s IT infrastructure and to ensure\nthat the Bank\'s systems and policies are aligned with its mission. We appreciate your hard work\nand input and look forward to continuing to work closely with the OIG.\n\n\nSincerely,\n\n\nAlice P. Albright, CFA\nChief Operating Officer & Executive Vice President\nExport-Import Bank of the United States\n\n\nCC:\t Fred P. 
Hochberg\n     Chairman & President\n     Export-Import Bank of the United States\n\n     Mike Cushing\n     Senior Vice President for Resource Management\n     Export-Import Bank of the United States\n\n\nEXPORT-IMPORT BANK\nof the UNITED STATES\n\n\nDecember 23, 2011\n\n\nMEMORANDUM\n\n\nTo:             Jean Smith\n                Assistant Inspector General for Audit\n\nFrom:           Fernanda Young\n                Chief Information Officer\n\n\nSubject:        Audit of Information Technology Support for Export-Import Bank\'s Mission\n                (OIG-xx-11-xx, December 16, 2011 (Revision) - Response to\n                recommendations.\n\n\n       We appreciate your providing us with an opportunity to review a draft of the report and\nthe cooperation and subsequent reviews of the document with your auditors.\n\n       With regard to your memorandum of November 25, 2011, and the revision of the draft\ndocument dated December 16, 2011, following are management\'s response to the six\nrecommendations from the BDO USA, LLP ("BDO") report provided during their audit of the\nInformation Technology Support for Export-Import Bank\'s Mission. Management responses to\nrecommendations 2, 7-11 are included in this letter.\n\n         In addition to the specific audit objectives described in page / of the BDO report, the\nauditor did perform a number of core IT audit tasks and IT security controls of the IT systems.\nThe core infrastructure IT capabilities of the Ex-Im Bank are solid and effective. 
In FY 2011, Ex-\nIm Bank a) enhanced its security posture and oversight for its handling of sensitive information;\nb) performed annual reviews of IT policies and procedures; c) performed a network and public\nfacing application penetration testing with no major or minor vulnerability findings; d) exercised\nits continuity of operations plan including participation in Eagle Horizon 10 and disaster recovery\ntesting for its major applications and e) implemented a large number of infrastructure refresh\ntasks. During that same period, a large number of business applications sustain engineering\ntasks were implemented through five major mission critical releases of the Financial and\nAdministrative Systems (F&A) and the EXIM Online (EOL) public facing system.\n\n       Management agrees with the recommendations described in the BDO report. The Bank\nhas submitted requests for funding to upgrade its old custom designed (1990-type) applications\nsystems and will continue to enhance and improve on its processes and using technology as a\n\x0cresource multiplying strategy for supporting the expanding mission of the Ex-Im Bank supporting\nthe National Export Initiative (NEI).\n\n         The following letter addresses the recommendations 2 and 7 to 11.\n\n\nRecommendation 2\n\n\nWe recommend that the Executive Vice President and Chief Operating Officer:\n\n         2) Develop a formal working file document management policy. 
In developing the\n            formal policy, Ex-Im Bank should additionally a) educate Ex-Im Bank employees to\n            ensure they understand the need to share consistent information across\n            departments; b) establish the means to retain and share working file documents; c)\n            store the policy in a readily accessible medium; and d) implement a mechanism to\n            monitor compliance to the formal policy.\n\n\nManagement Response - AGREE\nWe agree with the recommendation - The Ex-Im Bank will develop a policy based on best practice\nin the Government. As more applications are handled online (e.g. insurance), the case file is\nrelated attachments and artifacts are stored in the document management system used by EOL.\n\nThe "Working File" policy will be based on the following parameters:\n\nThe National Archives and Records Administration (NARA) define working files as: "rough notes,\ncalculations, or drafts assembled or created and used to prepare or analyze other documents\n(Also called working papers)."\n\nWorking files are disposable once a document is finalized unless Working Files are Records.\n\nNARA\'s regulations (36 CFR 1222.34(c)) say that working files are records if:\n\n\n    1.   They were circulated or made available to employees, other than the creator, for official\n         purposes such as approval, comment, action, recommendation, follow-up, or to\n         communicate with agency staff about agency business; and\n\n\n    2.   
They contain unique information, such as substantive annotations or comments included\n         therein, that adds to a proper understanding of the agency\'s formulation and execution\n         of basic policies, decisions, actions, or responsibilities.\n\nStaff will be provided training to determine which documents in their possession need to be filed\nand retained as records, and which documents can be safely recycled or destroyed.\n\nRecommendation 7\n\n\nWe recommend that the Executive Vice President and Chief Operating Officer and the Chief\nInformation Officer:\n\n        3) Collaborate to develop a formally approved robust process for creating a clear and\n           comprehensive IT Strategic Plan according to OMB requirements to effectively\n           support Ex-Im Bank\'s mission.\n\n\nManagement Response - AGREE\nWe agree with this recommendation. The Ex-Im Bank will adhere to using the Capital Planning\nand Investment Control (CPIC) process to identify investment initiatives and the COO will provide\ntimely goals and objectives. 
The CIO will develop plans and Cost Benefit Analysis and\nalternatives and develop a detail IT strategic plan and seek timely approval of plans and funds\nthem for the effective execution of the IT strategic plan.\n\nRecommendation 8, 9, 10\n\n\nWe recommend that the Executive Vice President and Chief Operating Officer and the Chief\nInformation Officer:\n\n        8) Classify requested and authorized IT funds according to OMB\'s CIRCULAR A-11\n           definitions on the development and modernization of IT versus the amount being\n           spent on operating and maintaining the status quo for IT.\n\n        9) Enhance or replace the AAA system or develop an IT system to provide current\n           information on actual versus planned IT spending to ensure the proper management\n           of IT operation and maintenance spending and investments.\n\n\n\nWe recommend that the Executive Vice President and Chief Operating Officer:\n\n        10) Formally direct the CIO on the implementation of the new requirements prescribed in\n            OMB\'s M-11-29, Chief Information Officer Authorities.\n\n\nManagement Response - AGREE\n\n\nManagement Response 8 - We agree with the recommendation. The Ex-Im Bank doubled its\nauthorizations since 2008 (more transactions, more disbursements, more documents, more data\nbase support, etc.). This increase of ongoing support and related transactions are NOT Status\nquo. They are O&M and "sustain engineering". The Ex-Im Bank uses "Sustain Engineering" for\nongoing required maintenance, refresh and small enhancements for systems. The Ex-Im Bank\nuses the term "Investment" for Major system or programmatic changes (It should be noted that\nthe low end enhancements in OMB are around $5 million dollars). 
That same definition and\napproach is used across the Government, especially by small agencies.\n\nThe Ex-Im Bank will make budget estimates and distinction between "Fixes" and "Change\nRequests" in the development cycles to capture these differences. The Bank will continue to use\nthe Government-wide use of the context of the Exhibit 53 and intent of circular A-11 for large\ninvestments. The Bank will ensure the EWG is involved and monitor the "sustain engineering"\ntasks as well as the major investments used as part of the Exhibit 53.\n\nManagement Response 9 - We agree with the recommendation - The CFO and CIO have\nestablished a team to evaluate the enhancement/replacement of AAA with a financial core\n(FMLOB) budgeting system. This initiative is included in the OCIO strategic plan and includes a\nsystem capable of tracking planning, obligation, and actual information. Execution of this plan is\ndependent on "INVESTMENT" funding being made available for the initiative. Since 2008, this\ninitiative was being evaluated for funding. Planning, requirement, and alternatives\ndocumentation was prepared. The next step is to update that documentation, attend demos,\nand seek budget and resources to pursue this goal.\n\nManagement Response 10 - We agree with the recommendation - A number of these guidance\nand objectives are already in place. The Ex-Im Bank is a small agency and all of IT is managed by\nthe OCIO.\n\nPlans are to be executed in the next 9 months to transfer email to the cloud. 
The COOP capability\nis already deployed in the cloud and a web site service through the cloud is being reviewed for\nsecurity and cost effectiveness.\n\nLean and Agile development processes are going to be implemented as part of the investment\nfund execution that includes the Participant Hub, Working Capital automation, and Forms\nconsolidation.\n\nRecommendation 11\n\nWe recommend that the Executive Vice President and Chief Operating Officer and the Chief\nInformation Officer:\n\n        11) Ensure Ex-Im Bank\'s SDLC process is consistently followed when implementing major\n            systems and performing system changes.\n\n\nManagement Response - AGREE\nWe agree with the recommendation. In addition, the Ex-Im Bank is planning to use the Lean\n"Agile Development Methodology" to replace its existing heavy structured SDLC processes to\nensure "delivering meaningful functionality at a faster rate while enhancing the security of\ninformation systems. These additional authorities will enable CIOs to reduce the number of\nwasteful duplicative systems, simplify services for the American people, and deliver more\neffective IT to support their agency\'s mission"\n\nLean Agile principles "promote a development lifecycle that includes frequent inspections with\nsmall incremental tasks; supports collaboration and self-organization; and encourages the fast\ndelivery of high-quality software." 
Lean Agile development principles include:\n\n                Individuals and interactions over processes and tools\n                Working software over comprehensive documentation\n                Customer collaboration over contract negotiation\n                Responding to change over following a plan\n\n\ncc:\t   Osvaldo Gratacos, Inspector General\n       Alice Albright, Chief Operating Officer\n       Michael Cushing, Senior Vice President, Resource Management\n       David Sena, Acting Chief Financial Officer and Audit Liaison\n       Patricia Wolf, Financial Reporting Supervisor\n       John Lowry, Director, Information Technology Security and System Assurance\n\n\nEXPORT-IMPORT BANK\nof the UNITED STATES\n\n\nJanuary 10, 2012\n\n\nMEMORANDUM\n\n\nTo:               Jean Smith\n                  Assistant Inspector General for Audit\n\nFrom:             Alice Albright\n                  Chief Operating Officer\n\n\nSubject:          Audit of Information Technology Support for Export-Import Bank\'s Mission\n                  (OIG-xx-11-xx, December 16, 2011 (Revision) - Response to\n                  recommendations.\n\n\n       We appreciate your providing us with an opportunity to review a draft of the report and\nthe cooperation and subsequent reviews of the document with your auditors.\n\n       With regard to your memorandum of November 25, 2011, and the revision of the draft\ndocument dated December 16, 2011, following are management\'s response to five of the\nrecommendations from the BDO USA, LLP ("BDO") report provided during their audit of the\nInformation Technology Support for Export-Import Bank\'s Mission. Management responses to\nrecommendations 1, 3-6 are included in this letter.\n\n        Management agrees with the recommendations described in the BDO report. 
The Bank\nhas submitted requests for funding to upgrade its old custom designed (1990-type) applications\nsystems and will continue to enhance and improve on its processes and using technology as a\nresource multiplying strategy for supporting the expanding mission of the Ex-Im Bank supporting\nthe National Export Initiative (NEI).\n\n           The following letter addresses the recommendations 1 and 3 to 6.\n\nRecommendation 1\n\n\nWe recommend that the Executive Vice President and Chief Operating Officer:\n\n      1) Have the business owners individually and in aggregate reevaluate their business\n         requirements and minimum relevant data necessary to process transactions\n         involving complex structures and to monitor business operations. They should\n         then work with the Office of Information Technology to initiate, develop, and test\n         an integrated application that is aligned with those needs and in support of Ex-Im\n         Bank\'s mission.\n\nManagement Response - AGREE\nWe agree with the recommendation - The Ex-Im Bank has kicked off the first in a series of\nprocessing system projects that are being funded from the IT Investment fund recently made\navailable. The various project plans, including the Participant Hub, Working Capital automation,\nand Forms consolidation, all start with a detailed and thorough review of business requirements\nand strategic direction with the business owners. The project plans then establish a Business\nStakeholders Steering Committee and a pool of identified business users who will test and review\nany application development. The Business Stakeholders Steering Committee will have final say\non business requirements and on determining whether or not system proposals meet those\nrequirements.\n\nIn particular, one of the business operations with extremely complicated structures,\nTransportation Finance, has begun a streamlining/LEAN exercise. This project is targeted to be\ncompleted Summer 2012. 
As staff has acknowledged that the current processing system is a\nmill-stone around their neck, one of the final products to be developed will be a detailed set of\nsystem requirements that support the new business process. These system requirements will be\nused in the project plan for "automating" Transportation Finance.\n\nRecommendation 3 - 6\n\n\nWe recommend that the Executive Vice President and Chief Operating Officer:\n\n    3) Implement a bank-wide unique identifier to ensure that all new participants can\n       be readily identified and returning participants are associated with their\n       historical transactions.\n\n    4) Have the business owners revise the required minimum participant data\n       necessary to process an application. Ex-Im Bank should only process applications\n       that meet those minimum criteria.\n\n    5) Develop a formal data management policy and procedures to ensure complete\n       and accurate participant data is captured in Ex-Im Bank\'s centralized database\n       and define which information is required for reporting purposes. The policy and\n       procedures should include, as soon as possible, a clear definition and\n       management of participant identification so it can link participants to\n       transactions.\n\n    6) Require that the formal data management policy and procedures be a)\n       communicated to appropriate Ex-Im Bank employees; b) reviewed annually,\n       updated, and re-communicated accordingly; and c) stored in a readily accessible\n       medium.\n\x0cManagement Response - AGREE\n\n\n Management Response 3 - We agree with the recommendation - Ex-Im Bank has kicked off the\nfirst in a series of processing system projects that are being funded from the IT Investment fund\n recently made available. One project which has already commenced is the Participant Hub\nproject. 
One of the business requirements that has already been identified is that there be a\n bank-wide unique identifier to ensure that all new participants can be readily identified and\n returning participants are associated with their historical transactions. The Participant Hub\nproject plan commenced in November 2011 and is projected to be fully implemented by January\n2013. With implementation of the Participant Hub, Ex-Im Bank will have a bank-wide unique\n identifier and processes to ensure that all new participants can be readily identified and\n returning participants are associated with their historical transactions.\n\n Management Response 4 - We agree with the recommendation - Ex-Im Bank has kicked off the\nfirst in a series of processing system projects that are being funded from the IT Investment fund\n recently made available. There are two projects moving hand-in-glove. They are the Participant\n Hub and Forms Consolidation projects. As part of the business requirements process for each\nproject, business users are identifying the minimum required participant information for the\n Participant Hub and the minimum required participant (and other) information for processing an\n application. The Participant Hub project plan commenced in November 2011 and is projected to\nbe fully implemented by January 2013. Meanwhile, the Forms Consolidation project started\nDecember 2011 and is projected to be implemented by March 2012.\n\n Management Response 5 - We agree with the recommendation- Ex-Im Bank has kicked off the\nfirst in a series of processing system projects that are being funded from the IT Investment fund\n recently made available. One project which has already commenced is the Participant Hub\nproject. 
As part of the business requirements process for the project, business users are\n identifying the appropriate policies and procedures that will need to be established to ensure\n complete and accurate data is captured and maintained in the Participant Hub and the\n connected transaction processing systems. The Participant Hub project plan commenced in\n November 2011 and is projected to be fully implemented by January 2013.\n\nManagement Response 6 - We agree with the recommendation- One of the benefits that Ex-Im\nBank hopes to achieve from its processing system projects is full documentation of policies and\nprocedures that will be readily accessible to business users and communicated to the business\nusers. As the projects progress, documentation will be developed and reviewed by the business\nusers.\n\ncc:\t    Osvaldo Gratacos, Inspector General\n        Michael Cushing, Senior Vice President, Resource Management\n        David Sena, Acting Chief Financial Officer and Audit Liaison\n        Fernanda Young, Chief Information Officer\n        Michele Kuester, Vice President, Operations and Data Quality\n        Patricia Wolf, Financial Reporting Supervisor\n\x0cOffice of Inspector General\nExport-Import Bank of the United States\n811 Vermont Avenue, NW\nWashington, DC 20571\n202-565-3908\nwww.exim.gov/oig\n\x0c'